Where is the best place to put form validation

Question

OK, so I come from an Flex/ActionScript back ground, since this field is slowly dieing I figure its time to move onto full time PHP.
Anyway, I think I have a pretty good understanding of the Zend framework(most places I worked for used it). However, they used it mostly just for the table abstract class so it really wasn't a good MVC practice, more like just Model.
Going on interviews I almost always get asked where does the form validation happen.
Now I know zend has built in form validaters I am not talking about that.
I am talking about a standard HTML form built in a view and submitted to the server.

The question I want to know is, is it better done in the control or in the model.

And also why use zend_form at all, to me it seems like it would be hard for a designer to make it sexy.

Answer 1

Validation's are part of model since it knows about business logic of validating some entity but used inside controller .

Zend_Form comes with decorator's like ViewScript which enables desinger to make it sexy and make developer job of validating , filtering , populating form inputs breeze .

Answer 2

If you are attaching validators to form elements the form is validated in the controller and can be checked using a simple if() loop:

if($form->isValid($postData)) {
    //do some stuff
}

otherwise you can validate a simple html form or other input in the controller using Zend_Filter_Input :

//set filters and validators for Zend_Filter_Input
    $filters = array(
        'id' => array('HtmlEntities', 'StripTags')
    );

    $validators = array(
        'id' => array('NotEmpty', 'Int')
    );

    //assign Input
    $input = new Zend_Filter_Input($filters, $validators);
    $input->setData($this->getRequest()->getParams());
if ($input->isValid()) {
//do some stuff
}

either way you want to do at least basic validation and filtering in the controller to try and prevent cross site scripting and sql injection.
You can always do deeper validation and filtering in your domain models if required.

As far as why use Zend_Form, it's not as bad as it may first appear. The ability to attach validators and filters with custom messages is very useful to some people. The decorators while difficult in the beginning can put to good use with practice. Also you cheat and just use the viewScript() decorator (Like I usually do). The viewScript decorator provides a lot of control in more more familiar form.

Here is an example:

//The Form
class Application_Form_Search extends Zend_Form
{
    public function init() {
        $this->setMethod('POST');
        $this->setDecorators(array(
            array('ViewScript', array(
                    'viewScript' => '_searchForm.phtml'//the partial script used as a decorator
            ))
        ));
        // create new element
        $query = $this->createElement('text', 'query');
        // element options
        $query->setLabel('Search Keywords');
        $query->setAttribs(array('placeholder' => 'Artist or Title',
            'size' => 27,
        ));
        // add the element to the form
        $this->addElement($query);

        $submit = $this->createElement('submit', 'search');
        $submit->setLabel('Search Site');
        $submit->setDecorators(array('ViewHelper'));
        $this->addElement($submit);
    }
}

The Partial Script:

<article class="search">
    <form action="<?php echo $this->element->getAction() ?>"
          method="<?php echo $this->element->getMethod() ?>">
        <table>
            <tr>
                <th><?php echo $this->element->query->renderLabel() ?></th>
            </tr>
            <tr>
                <td><?php echo $this->element->query->renderViewHelper() ?></td>
            </tr>
            <tr>
                <td><?php echo $this->element->search ?></td>
            </tr>
        </table> 
    </form>
</article>

as you can see this would be much more familiar to code and much easier for a designer to style.

Hope this helps, Good Luck...